
Splunk Add-on for Microsoft Windows: Has anyone else had an issue with the regex for domain account names matching the "-" symbol?

Path Finder

Just wondering if anybody else has the issue whereby, when you look at your event data for fields such as the following:

Account_Name
Account_Domain
etc.

it treats "-" as a valid Account_Name or Account_Domain. I have a huge number of domains showing up as "-".

When I looked at the regex in the TA, it has the following.

[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = (.+)
FORMAT = dest_nt_domain::"$1"

So if the line matches anything, even a "-", it shows up.

So now my domain name looks like this (including the new line):

dest_nt_domain = "-
DOMAIN"

Wouldn't a better regex be something like this?
.+[^$-]

It seems that it must be a bug. Has anyone else experienced this?


Communicator

This is just one of the problems I had with the Splunk_TA_windows... so I decided to make my own Windows app... all of the *as_dest_nt_domain regexes are incorrect, and the "wel-col-kv" regex is incorrect as well. This is what I have now in my transforms.conf:

# The default regex for the 10 *_as_dest_nt_domain stanzas below is not correct for EventCodes that have more than one Account_Domain field.
# The target domain is always the second field; in the case of two fields the default regex takes everything, not just the last one.
[Target_Domain_as_dest_nt_domain]
SOURCE_KEY = Target_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Primary_Domain_as_dest_nt_domain]
SOURCE_KEY = Primary_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Group_Domain_as_dest_nt_domain]
SOURCE_KEY = Group_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Account_Domain_as_dest_nt_domain]
SOURCE_KEY = Account_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[New_Domain_as_dest_nt_domain]
SOURCE_KEY = New_Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Domain_as_dest_nt_domain]
SOURCE_KEY = Domain
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[User_ID_as_dest_nt_domain]
SOURCE_KEY = User_ID
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Security_ID_as_dest_nt_domain]
SOURCE_KEY = Security_ID
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Supplied_Realm_Name_as_dest_nt_domain]
SOURCE_KEY = Supplied_Realm_Name
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

[Target_Account_ID_as_dest_nt_domain]
SOURCE_KEY = Target_Account_ID
REGEX = [\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)
FORMAT = dest_nt_domain::"$1"

# For some reason there isn't always a "-" in an empty field, and in those cases the value of that field is filled with the name of the next field.
# Example: dest_nt_domain = "Failure Information:" (EventCode 4625)
# To prevent that, the wel-col-kv regex (splunk/etc/system/default/transforms.conf) needs to be changed:
[wel-col-kv]
REGEX = (?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)
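To see what the wel-col-kv change in the post above actually does on an event, here is an added example (my own code, not from the poster and not from Splunk_TA_windows). It runs the posted REGEX with Python's re over a constructed 4625-style Message block, and beside it a looser pattern that uses \s* after the colon, which I constructed only for contrast and do not claim to be Splunk's shipped default. The sample text, the LOOSE_KV pattern and the parse_wel_kv helper are all assumptions of this example; the key cleaning mimics what Splunk's CLEAN_KEYS does to field names.

```python
import re

# The wel-col-kv REGEX posted above. Splunk's transforms.conf uses PCRE;
# Python's re treats this particular pattern the same way.
WEL_COL_KV = re.compile(r"(?=\w)([^:\n\r]+):[ \t]*(?![\n\t])([^\n\t]*)")

# A looser variant, constructed here only for contrast (not claimed to be
# Splunk's shipped default): \s* can swallow the line break after an empty
# value, so the value becomes the next line, e.g. the "Failure Information:"
# header.
LOOSE_KV = re.compile(r"(?=\w)([^:\n\r]+):\s*([^\n\r]*)")

# Constructed sample, modelled on the Message text of a Windows Security
# EventCode 4625 (logon failure); not a real captured event. Note the empty
# "Account Domain:" value in the target section, right before the
# "Failure Information:" header.
SAMPLE_4625 = (
    "An account failed to log on.\n"
    "\n"
    "Subject:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\t-\n"
    "\tAccount Domain:\t\t-\n"
    "\tLogon ID:\t\t0x0\n"
    "\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\tjdoe\n"
    "\tAccount Domain:\t\t\n"
    "\n"
    "Failure Information:\n"
    "\tFailure Reason:\t\tUnknown user name or bad password.\n"
    "\tStatus:\t\t\t0xC000006D\n"
)


def parse_wel_kv(message, pattern=WEL_COL_KV):
    """Extract key/value pairs the way the wel-col-kv transform would.

    Returns {field: [values...]}; repeated keys become multivalue lists, like
    Splunk's Account_Name / Account_Domain fields. Keys are cleaned the way
    Splunk's CLEAN_KEYS does (anything but [A-Za-z0-9_] becomes "_").
    """
    fields = {}
    for key, value in pattern.findall(message):
        key = re.sub(r"[^A-Za-z0-9_]", "_", key.strip())
        fields.setdefault(key, []).append(value.strip())
    return fields


if __name__ == "__main__":
    for name, pat in (("posted wel-col-kv", WEL_COL_KV), ("loose variant", LOOSE_KV)):
        print(name)
        for key, values in parse_wel_kv(SAMPLE_4625, pat).items():
            print(f"  {key} = {values}")
```

With the posted pattern the empty target "Account Domain:" simply yields no value, so Account_Domain is the single "-" from the Subject section and there is no "Failure Information:" value anywhere; with the loose variant the empty field picks up "Failure Information:" as its value, which is exactly the symptom the comment in the post describes. The difference is the `[ \t]*` (no newline) plus the `(?![\n\t])` lookahead, which refuse to treat the next line as a value.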

Builder

It's not an answer to your question, but if someone has problems with "-" in fields and doesn't want to deal with special cases in config, you can try other solutions:
eval Account_Name=mvindex(Account_Name,0)
or
eval Account_Name=mvfilter(Account_Name!="-")


Hi Domenico,

The regex mentioned above would fail to extract a trailing "-" if encountered in the value. For example, if the value is "abc-" it would only extract "abc". Instead, we can try the regex below, which would only neglect "-" and accept all other values:
((?!^-$)(.*))

Thanks,
Chandni

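Added example (my own code, not from any poster in this thread or from Splunk_TA_windows): the candidate REGEX values from the thread, plus one I added, run with Python's re over constructed SOURCE_KEY values, reporting what `FORMAT = dest_nt_domain::"$1"` would be handed in each case. Splunk evaluates transforms.conf REGEX with PCRE, and for these patterns Python's re agrees with PCRE. The sample values are constructed; in particular, the two-value case assumes the transform sees a multivalue field joined with a newline (the form the question shows), which is an assumption of this example and not something Splunk's multivalue handling is claimed to reproduce exactly. The "combined" pattern is mine, not from the thread.

```python
import re

# Candidate REGEX values from this thread, plus one added here. Splunk
# evaluates transforms.conf REGEX with PCRE; for these patterns Python's re
# behaves the same (no DOTALL or MULTILINE unless (?m) is given, and "$"
# matches at end of string or before a final newline).
CANDIDATES = {
    "TA default":   r"(.+)",
    "question":     r".+[^$-]",
    "Communicator": r"[\-\sa-zA-Z0-9]*(?:(?:\s)(.*))|(.*)",
    "Chandni":      r"((?!^-$)(.*))",
    # Added here, not from the thread: the first line that is not exactly "-".
    "combined":     r"(?m)^(?!-$)(.+)$",
}

# Constructed SOURCE_KEY values (not from real events). The two-value case
# assumes Splunk hands the transform a multivalue field joined with a newline,
# which is how the question shows the extracted value; that representation is
# an assumption of this example.
SAMPLES = {
    "plain":      "DOMAIN",
    "dash":       "-",
    "trailing":   "abc-",
    "multivalue": "-\nDOMAIN",
}


def dest_nt_domain(pattern, value):
    """What FORMAT = dest_nt_domain::"$1" would be handed, or None.

    Group 1 is used when the pattern has a capture group, otherwise the whole
    match (the question's pattern has no group). A non-participating or empty
    group is reported as None, i.e. nothing worth creating a field from.
    """
    m = re.search(pattern, value)
    if m is None:
        return None
    captured = m.group(1) if m.re.groups else m.group(0)
    return captured or None


def compare():
    """Result table: {candidate: {sample label: extracted value}}."""
    return {
        name: {label: dest_nt_domain(pat, val) for label, val in SAMPLES.items()}
        for name, pat in CANDIDATES.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:13s} " + "  ".join(f"{k}={v!r}" for k, v in row.items()))
```

Reading the table: `(.+)` passes "-" straight through, which is the original complaint; `.+[^$-]` drops the lone "-" but also chops "abc-" to "abc", as the reply above points out, and still leaks "-" (with its newline) from the two-value case; `((?!^-$)(.*))` keeps "abc-" and rejects a lone "-", but on the two-value case it still returns the leading "-" because the `$` in the lookahead does not match before an inner newline. Group 1 of the Communicator's pattern only participates in its first alternative, so it returns "DOMAIN" for the two-value case but nothing for single values, which fall through to the second alternative and leave $1 empty. The added `(?m)^(?!-$)(.+)$` takes the first line that is not exactly "-" and handles all four cases, under the newline-joined assumption stated above.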

Splunk Employee

I've added a link to this onto another bug about this regular expression. Thanks!
